
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-08-02 InfoSec Handlers Diary Blog



Diary Update for Cisco Greeting and ARCserve Exploits and Scanner; Regular Diary: Kismet / Metasploit / New Buffer overflows ARCserve/ New Nigerian Scam / Google update / PwStealers project / Power Ou

Published: 2005-08-02
Last Updated: 2005-08-03 14:34:46 UTC
by Pedro Bueno (Version: 1)


Diary update

Cisco Greeting

It has been reported and confirmed that folks attempting to log into Cisco's website were met with the following greeting:

"Cisco has determined that Cisco.com password protection has been compromised.

As a precautionary measure, Cisco has reset your password. To receive your new password, send a blank e-mail, from the account which you entered upon registration, to cco-locksmith@cisco.com. Account details with a new random password will be e-mailed to you.

If you do not receive your new password within five minutes, please contact the Technical Support Center.

This incident does not appear to be due to a weakness in Cisco products or technologies"

It appears that this was limited in scope and in the time it was displayed. We don't have further details at this time. If anyone has information to add, please let us know.

ARCserve Exploits and Scanner


If you haven't already patched your BrightStor ARCserve Backup software, now would be a really good time. At least three different exploit codes and the code for a scanner have now been released. Further down in the diary, you will see the links for where you can get your patches for these vulnerabilities.

Here is how CA rates this vulnerability:

Threat Assessment

Overall Risk: High
Impact: Critical
Popularity: Medium
Simplicity: Medium
Regular Diary


Kismet / Metasploit

We received some questions about the vulnerabilities in Kismet disclosed at DefCon. The Kismet Wireless website includes the following message:

"Mon Aug 01 2005 - Fixes to the announced vulnerabilities in Kismet are in progress (pending info) tonight, stay tuned for a big announcement when the vulns are fixed."

References: http://www.kismetwireless.net/





There was also some discussion about the supposed vulnerability in the Metasploit Framework disclosed at DefCon. It was assigned Bugtraq ID 14431:

"Metasploit Framework is prone to an unspecified vulnerability. This issue allows remote attackers to compromise the computer of users using the affected application."

References: http://www.securityfocus.com/bid/14431/info

UPDATE: from the SecurityFocus website:

"This BID has been retired as it has been determined that the issue is not a vulnerability. Additional information has been provided that states the issue is due to insufficient filtering of potentially malicious terminal escape sequences when logging external input. These escape sequences are not interpreted at any point by the application, and only pose a threat if rendered with an external viewer within a terminal emulator program that will interpret them. In that instance, this presents a security vulnerability in the terminal emulator program. As Metasploit does not interpret the malicious input itself, it is not within the scope of the application to filter this type of input. This is not a vulnerability in Metasploit since it does not impact security properties of the application itself."

at: http://www.securityfocus.com/bid/14431/discuss
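To make the point of that BID discussion concrete, here is an added example (written for this diary, not code from Metasploit or SecurityFocus) of the filtering that belongs in whatever displays captured input on a terminal. It recognises ECMA-48 CSI and OSC sequences so a log entry that tries to redraw or retitle the terminal can be flagged, and it rewrites every control byte as visible `\xNN` text before a line is printed. The log lines it processes, and the function names, are constructed for the example.

```python
"""Neutralise terminal escape sequences in captured input before it reaches a
terminal.  Added example for this diary (not Metasploit or SecurityFocus code):
the filter the BID discussion says belongs in the viewer, not in the tool that
records the input.  The log lines below are constructed for the example."""
import re

# ECMA-48 structure: CSI = ESC [ <parameter bytes> <intermediate bytes> <final byte>;
# OSC = ESC ] <payload> terminated by BEL or ST (ESC \).  The 8-bit C1 forms
# (0x9b, 0x9d) are caught by the control-byte pass below rather than by regex.
_CSI = re.compile(r'\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]')
_OSC = re.compile(r'\x1b\].*?(?:\x07|\x1b\\)', re.DOTALL)

# Controls that are fine to pass through when the viewer is a terminal.
_SAFE_CONTROLS = {'\t', '\n'}


def find_escape_sequences(text):
    """Return (kind, raw) for every recognised CSI/OSC sequence, in order of appearance.
    Useful for alerting on log entries that try to redraw or retitle the terminal."""
    hits = [(m.start(), 'CSI', m.group(0)) for m in _CSI.finditer(text)]
    hits += [(m.start(), 'OSC', m.group(0)) for m in _OSC.finditer(text)]
    return [(kind, raw) for _, kind, raw in sorted(hits)]


def neutralize_controls(text):
    """Rewrite every C0/C1 control byte (except TAB and LF) as a visible \\xNN token.

    A terminal cannot act on what it never receives, so this disarms complete
    sequences, truncated ones and bare 8-bit CSI alike.  Backslashes are doubled
    first so the output is unambiguous (a literal '\\x1b' in the input stays
    distinguishable from an escaped ESC byte)."""
    out = []
    for ch in text.replace('\\', '\\\\'):
        code = ord(ch)
        is_control = (code < 0x20 and ch not in _SAFE_CONTROLS) or 0x7f <= code < 0xa0
        out.append(f'\\x{code:02x}' if is_control else ch)
    return ''.join(out)


def safe_log_view(lines):
    """Sanitise a batch of captured lines for display; each result is (clean_line, findings)."""
    return [(neutralize_controls(line), find_escape_sequences(line)) for line in lines]


# Constructed sample: a client that sends screen-clear, cursor-home and a window-title
# OSC inside what the tool dutifully logs as the request line.
SAMPLE_LINES = [
    "GET / HTTP/1.0",
    "GET /\x1b[2J\x1b[H HTTP/1.0",
    "User-Agent: \x1b]0;title\x07curl",
]

if __name__ == "__main__":
    for clean, findings in safe_log_view(SAMPLE_LINES):
        print(clean, findings)
```

The two passes are deliberately independent: the regexes only classify, while the byte-level rewrite is what makes the output safe, so a sequence the grammar does not recognise is still disarmed.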





The same kind of information was issued for the Immunity CANVAS suite, with Bugtraq ID 14446:

"Immunity CANVAS is prone to an unspecified vulnerability. This issue allows remote attackers to compromise the computer of users running the affected application."

References: http://www.securityfocus.com/bid/14446/info




Brian Krebs wrote about these in his blog as well, after attending the Shmoo Group track at DefCon. Good reading.

References: http://blogs.washingtonpost.com/securityfix/2005/07/patching_your_e.html





There was also some discussion about it on the Daily Dave mailing list, if you want to follow.

References: https://www.immunitysec.com/pipermail/dailydave/2005-August/002266.html





There is not much information about these yet, but we recommend being careful when using these tools for your 'tests'... :)





New Buffer overflows ARCserve

New buffer overflows have been reported in the BrightStor ARCserve Backup and BrightStor Enterprise Backup application agent code used on Windows platforms.





The security update can be downloaded from:

BrightStor ARCserve Backup r11.1 for Windows:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO70767

BrightStor ARCserve Backup r11.0 for Windows:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO70769

BrightStor ARCserve Backup v9.01 for Windows:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO70770

BrightStor Enterprise Backup v10.5 for Windows:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO70774

BrightStor Enterprise Backup v10.0 for Windows:
http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO70773





New Nigerian Scam

We got an example of another Nigerian scam. This time they are trying to help us! :)





"Presently we discovered that some certain miscreants pose as Bank/government officials to defraud innocent people off their hard earn money."

"Help fight crime to make this earth a better place to live in."

Oh, come on... does anyone still fall for this kind of scam? :)
(OK... I know the answer...)







Google update

Regarding Lorna's diary from yesterday, we received some requests to include the URL where the data was stored. We are not announcing the site in question, as we are attempting to protect the private information.





PwStealers project

OK, this is a request for PwStealer samples for an article that I am writing... so, if you get some, could you please send them in a .zip with the password "infected" and the subject "pwstealer"? :)






Power Outage Fun

One of the ISC handlers had the fun of dealing with a pretty major power outage this afternoon. The building that he works in has office areas, the primary IT data center for his campus, as well as the regional law enforcement dispatch. Most of the office areas have deskside UPS units to help protect the more expensive workstations (such as Sun workstations) or the more critical computers that are located in the office. As this building was outfitted in recent years with a natural gas based generator, and has a large scale UPS for the data center, there should not have been much more than a blip on the radar screen today. Right? Wrong.



The data center UPS has functioned quite well throughout, with the only reason to shut down servers being to limit the amount of heat being generated. The deskside UPS units were sized in such a way that those important office systems could handle any fluctuations caused by the power outage itself, as well as any problems with the generator adjusting as it phases in and out of the utility power.



Though the generator does undergo routine tests, it failed to bring the building power back in a timely manner. Apparently, the building load was high enough (due to summer heat and the large number of new servers being brought online in the new fiscal year) that it would automatically trip itself with an overload condition each time it tried to take over. The facilities management personnel eventually used the various building breakers to turn off the AC for the data center (which is not on the UPS), lights, and a few of the other large breakers. Then they were able to force the generator to take the building load, and slowly flip back on some of the building level breakers. That allowed the generator to slowly take over the load in a way it could handle. I am almost certain that there will be discussions with the manufacturer and the facilities management about how to avoid this issue again and whether there is anything that can test for this type of event.



The other notable event comes from the systems administrators of the large installation servers in the data center. Recently, most of them have received the nice new deskside UPS units to help protect their workstations in the office. Half of them had dutifully installed these new UPS units, while others had not taken the time to do so, or were just waiting for the next power outage to force them to take down their workstation so they could re-cable things in their office. Unfortunately, some of the ones who had installed their UPS did so incorrectly. One in particular had gone as far as to plug his Windows computer and monitor into the battery backed-up plugs and accidentally had the LCD panel and Sun workstation plugged in on the surge suppressed side. Another installed things correctly, but had installed the vendor supplied software on his Windows computer (with the LCD) but hadn't configured it. A third had intended to use one of the systems in the data center to secure shell into his workstation and shut it down gracefully, but had never configured the host-based firewall rules (or was it tcp wrappers) to allow connections originating from the data center back into the workstation.



Thankfully, no perceived damage has occurred to any of the workstations, and the outage lasted maybe 30 minutes prior to the generator finally taking on the full load. (They were still on generator power at last check and there may be further problems as the generator phases back out to utility power.)



In all of this, the ISC handler noted that many unexpected difficulties were just that... unexpected. The company he works for had actually planned for power outages (especially weather related ones), so their standard operating procedure had come into play for the data center. The sysadmins had, however, not planned as thoroughly for their office workstations. Things like having monitors (or printers) plugged into the battery port, or having the more critical workstation plugged into the surge suppressed port, can be seen as simple oversights. The individual who had not configured the security in such a way as to allow remote administration from the data center probably had the right idea, but had failed to test it (until today). And the one individual who had his Windows computer using vendor supplied software configured to shut down within 5 minutes of a power outage also had the right idea, but failed to think through the process of "Oh, I need the Windows computer and LCD up long enough that I can shut down the Unix system. Don't let the automatic software kick in at a predetermined time, just start the auto shutdown procedure if it is after work hours, or the battery is reporting 5 minutes left to go.".



To you, our readers, this is an excellent time to consider a few questions concerning your standard operating procedures. Here are a few questions asked by the ISC handler who experienced this today.

* If this event had been weather related, or had occurred at a time when only the operations staff were in the office, would the on-hand staff know what to do and who to call?


* If you have deskside units, have you configured the automatic shutdown software properly?

* And for the security piece of this, have you configured the firewall rules, tcpwrappers, etc., in such a way that you can gracefully shut down from a remote location (home or other designated location)?

* Do you know for a fact that the network will be up if you needed to shut down across the network (including that little 4 or 8 port switch in your office)?

* Have you actually planned what to do in the event of an emergency or disaster?

* Are your generators physically secured and checked routinely in the case of vandalism or other similar problems?
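The shutdown rule the handler quoted above, and the dependency between the Windows console, the Sun workstation it shuts down over SSH and the office switch that carries that session, are simple enough to put into code. The following is an added example written for this diary, not software from any UPS vendor; the host names, the topology and the work-hours window are constructed assumptions. It computes an order in which each machine goes down before anything it still needs powered (and refuses a plan in which two machines each need the other up), and applies the trigger rule: start at once after hours, otherwise wait for the battery's five-minute warning.

```python
"""Deskside UPS shutdown sequencing.  Added example for this diary, not software
from any UPS vendor.  The host names and work-hours window are constructed
assumptions modelled on the office described above: a Windows console with the
LCD, a Sun workstation that is shut down over SSH from it, and the small office
switch that carries that SSH session."""
from collections import defaultdict

# Constructed topology: host -> hosts that must still be powered while it shuts down.
DEPENDS_ON = {
    "sun-ws": {"win-console", "office-switch"},  # SSH in from the Windows box, via the office switch
    "win-console": set(),                        # nothing relies on it once the Sun box is down
    "office-switch": set(),
}

WORK_HOURS = range(8, 18)   # assumed 08:00-17:59 local; someone is around to shut down by hand


def should_start_shutdown(hour, battery_minutes_left, work_hours=WORK_HOURS, threshold_minutes=5):
    """The handler's trigger rule: start immediately outside work hours (nobody there to
    do it by hand), otherwise wait for the battery to report the threshold."""
    after_hours = hour not in work_hours
    return after_hours or battery_minutes_left <= threshold_minutes


def shutdown_order(depends_on):
    """Order hosts so each is shut down before anything it still needs powered.

    Kahn's algorithm over the 'must stay up' edges: a host may go down once every
    host that relied on it is already down.  Ties are broken alphabetically so the
    plan is stable; a cycle (A needs B up while B needs A up) raises ValueError,
    because no machine could be shut down first."""
    hosts = set(depends_on)
    for needed in depends_on.values():
        hosts |= set(needed)
    relied_on_by = defaultdict(int)              # host -> number of hosts that still need it up
    for needed in depends_on.values():
        for n in needed:
            relied_on_by[n] += 1
    ready = sorted(h for h in hosts if relied_on_by[h] == 0)
    order = []
    while ready:
        host = ready.pop(0)
        order.append(host)
        for n in depends_on.get(host, ()):
            relied_on_by[n] -= 1
            if relied_on_by[n] == 0:
                ready.append(n)
        ready.sort()
    if len(order) != len(hosts):
        raise ValueError("circular dependency: no host can be shut down first")
    return order


def plan_is_valid(depends_on):
    """True when a complete shutdown order exists for the topology."""
    try:
        shutdown_order(depends_on)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(shutdown_order(DEPENDS_ON))                          # sun-ws first, console and switch last
    print(should_start_shutdown(20, battery_minutes_left=40))  # after hours -> True
    print(should_start_shutdown(10, battery_minutes_left=40))  # working hours, plenty of battery -> False
```

Checking `plan_is_valid` ahead of time is the part that would have caught the misconfigured offices in the story: a plan that depends on a switch or a console nobody put on the battery side has no valid order, and the place to learn that is a drill, not the next outage.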



If you haven't planned for the unexpected, it will eventually get you.




----------------------------------------------------------------------

Handler on Duty: Pedro Bueno - pbueno %% isc. sans. org